Meet the Hackers Who Get Rich Selling Spies Zero-Day Exploits

Posted by samzenpus
from the selling-to-the-man dept.
Sparrowvsrevolution writes "Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen's hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word. Those individual fees often cost much more than that six-figure subscription, and Vupen sells them non-exclusively to play its customers off each other in an espionage arms race. The company's CEO, Chaouki Bekrar, says Vupen only sells to NATO governments and 'NATO partners' but he admits 'if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.'"
  • Damn... (Score:5, Funny)

    by cayenne8 (626475) on Wednesday March 21, 2012 @03:03PM (#39432353) Homepage Journal
    That's serious money...

    The question is...how do "I" get into that??!?

    :)

    Hacking stuff, and protected by 'NATO' government paying you handsomely for the 'service'.

    sweet...

    • Re:Damn... (Score:5, Insightful)

      by lennier (44736) on Wednesday March 21, 2012 @03:23PM (#39432653) Homepage

      The question is...how do "I" get into that??!?

      1. Write any sufficiently large piece of C++ code
      2. Wait
      3. Get rooted by the black hats
      4. Find out which trivially-detectable-if-you'd-used-a-decent-language error the black hats found in your code and sell it to NATO
      5. Profit!

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Because we all know that programs written in interpreted languages never have bugs nor do their VMs or interpreters.

      • Re:Damn... (Score:4, Insightful)

        by morcego (260031) on Wednesday March 21, 2012 @04:08PM (#39433247)

        What's next? My dog ate my boundary checking?

        Seriously, blaming the language for the coding bug is one of the lamest things I've ever heard. Bugs (exploitable or not) will be found in any sufficiently large piece of code, written in any language. Heck, there were 1 or 2 cases of bugs introduced by the compiler.

        The real problem is that companies need to get the software out "fast". It is cheaper for the company to fix the code after it is released and paid for, than to keep developing out of its own pockets. It is that simple.

      • by rtb61 (674572)

        'Erm', not to put too fine a point on it, but a management username and password and an external login are sufficient to get in on the act. Once in the world of organised crime, the simplest, most direct solutions are often the most effective.

        So obtain access to, and extract from, the holder of the management username and password, and within the hour gain access to thousands of hours of cracking effort. You want to play, you will always end up paying.

    • by mjwalshe (1680392)
      Many security services now do open recruitment; look up the appropriate website. I would imagine in France going to ENA might help.
    • by Geek70 (2503888)
      Would you really want to? I would imagine that every single person working there is having every aspect of their life watched by a whole range of governments/agencies. Great place if you have no love of personal privacy!
    • by Anonymous Coward

      Not wasting your time posting on retarded news websites might be a good start

  • by asdbffg (1902686) on Wednesday March 21, 2012 @03:05PM (#39432367)
    Norton keeps me safe.
    • by Cazekiel (1417893)

      I keep seeing this, lolloplexing, scrolling down to read more... scrolling up, MORE lol; you gave the gift that keeps on giving.

    • Yes, but the extra 5 minutes it takes to copy a small text file from one location of your SATA-3 SSD to another is a bit of a deal breaker.

  • I think it will be interesting to see how the governments of the world start to evolve around this new threat.
  • by girlintraining (1395911) on Wednesday March 21, 2012 @03:06PM (#39432391)
    Step 1. Paint giant bullseye on the top of your corporate office. Write "Insert bomb here," repeatedly around the edge.
    Step 2. Sell digital goods that can be used by sovereign powers to wage war on each other to both sides.
    Step 3. ???
    Step 4. Profi--Error: Connection reset by peer
  • by hjf (703092) on Wednesday March 21, 2012 @03:07PM (#39432417) Homepage

    Oh, they only sell to NATO, right? You know, you can TRY to lie to us, but in the end, lying to the CIA is the same as lying to yourself. They know you sell to Iran, China, and every other regime out there.

    You're in a shady enough business not to sell to the best offer.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Even if they do only sell to NATO, NATO governments haven't exactly had a stellar history of respecting human rights in the past decade.

      • by elucido (870205)

        Even if they do only sell to NATO, NATO governments haven't exactly had a stellar history of respecting human rights in the past decade.

        What government respects human rights?

        If they don't sell their exploit to NATO who should they sell them to? The FBI?

      • Even if they do only sell to NATO, NATO governments haven't exactly had a stellar history of respecting human rights in the past decade.

        Compared to who? I'm pretty sure NATO collectively ranks at the very top of human rights respect on this planet.

        • by L4t3r4lu5 (1216702) on Thursday March 22, 2012 @04:02AM (#39438379)

          Compared to who? I'm pretty sure NATO collectively ranks at the very top of human rights respect on this planet.

          Well put. Furthermore, Harold Shipman is my choice of Serial Killer of the Year, as he only ended the lives of the elderly and infirm, and in a humane fashion.

          • Well put. Furthermore, Harold Shipman is my choice of Serial Killer of the Year, as he only ended the lives of the elderly and infirm, and in a humane fashion.

            And he is abominable as compared to the billions of people that don't murder anyone at all.

        • by CAIMLAS (41445)

          Well, compared to... pretty much everyone.

          Every single NATO-organized operation has not only been a significant failure, but human rights violations have been atrocious. This is more true with the smaller operations involving soldiers from non-Western countries in other non-Western countries. Complete... cluster... fuck.

    • Of course they sell to Iran, China, et al. And the CIA and MI5 *help* them with the code they write, especially the code they sell to others. Backdoors in the backdoors.

    • NATO, and out of the back of a white van, to people whose accents place them from various countries on the 'Naughty List.'

  • Kind of shady? (Score:5, Insightful)

    by K. S. Kyosuke (729550) on Wednesday March 21, 2012 @03:07PM (#39432421)
    I mean, aren't there laws against doing things like hacking into computers you don't own? Isn't this aiding in a crime? The last time I checked, even government agencies were obliged not to break laws.
    • by Desler (1608317) on Wednesday March 21, 2012 @03:11PM (#39432473)

      Your post is so cute. You actually think they care.

    • There are also laws against doing things like shooting an unarmed person in the head, aka assassination, but if a soldier hears his superior yell "fire", he shoots, no questions asked. In theory, the govt. abides by its own laws, in practice, 'national security' trumps all laws, and even the courts have agreed, allowing the govt. to withhold evidence on the basis of national security. Govt: "He's guilty!" Judge: "why?" Govt: "We'd like to tell you why, but that harms national security." Judge: "oh, oka

      • Re:Kind of shady? (Score:5, Insightful)

        by Real_Reddox (1010195) on Wednesday March 21, 2012 @03:22PM (#39432635) Journal

        if a soldier hears his superior yell "fire", he shoots, no questions asked.

        As a soldier, I can only note your lack of insight in how the military works.

        • Care to elaborate?
      • by lennier (44736)

        There are also laws against doing things like shooting an unarmed person in the head, aka assassination, but if a soldier hears his superior yell "fire", he shoots, no questions asked.

        And that's precisely why I don't "support the troops" qua troops. Cyber or otherwise. If you aren't allowed to question orders to harm and kill, you're not allowed to be a free and ethical human being. Why are we (why are Republicans of all people!) still glorifying an institution which practices slavery in the 21st century?

    • by Iniamyen (2440798)
      The laws only apply if you are hacking into computers you don't own in order to download The Hurt Locker.
    • by X0563511 (793323)

      Silly citizen, gov't agents are above the law.

    • Re:Kind of shady? (Score:5, Insightful)

      by PPH (736903) on Wednesday March 21, 2012 @03:20PM (#39432613)

      even government agencies were obliged not to break laws.

      Unless we're at war.

      We're always at war.

      • by NIN1385 (760712)
        Mod up please.

        This is the problem with the "war on terror". There is no end, the US government will never be able to declare a victory over this enemy. This plays right into their grand scheme of things, they have a free pass to do whatever they want anywhere in the world and the perfect terrorist attack to justify it.

        This is why you will never see a real investigation into the events of September 11th, if there were ever any highly publicized cracks in the story of what happened that day it would bri
      • by Noughmad (1044096)

        even government agencies were obliged not to break laws.

        Unless we're at war.

        We're always at war.

        We've always been at war.

    • How do you prove it?

    • by Anonymous Coward

      Who said anything about hacking into someone else's computer? Discovering exploits is not a crime.

    • Just to play devil's advocate, they're selling exploits. You need not hack machines that do not belong to you to develop exploits.
      Are they not in some sense selling knowledge? Since when is that illegal? (State secrets and whatnot aside).

      I don't agree with it, but I'm just saying.
    • It is also a crime to wiretap someone, but the police do it all the time. Judges can grant warrants to allow law enforcement agencies to do otherwise illegal things.
    • by elucido (870205)

      I mean, aren't there laws against doing things like hacking into computers you don't own? Isn't this aiding in a crime? The last time I checked, even government agencies were obliged not to break laws.

      Government agencies don't believe in any laws besides the law of might. If they want to do it they do it just as long as they have the force to get away with it.

    • I mean, aren't there laws against doing things like hacking into computers you don't own? Isn't this aiding in a crime? The last time I checked, even government agencies were obliged not to break laws.

      You've got it all wrong. I'm sure they hack into their own computers, nothing illegal there. Then they sell the knowledge of these exploits to their customers in order to protect them from these weaknesses. Now, if someone in one of those agencies "goes against policy" and uses these exploits against someone else, how is it their fault?

    • by Alarash (746254)
      Pretty sure you can turn this around saying it's for defense purposes, or "research." Isn't "security researcher" the official term for "white hat"?
  • ... if the government (or a private firm working for the government) does it.

    Please remember this the next time a cop kicks you in the face.

  • Exploit to exploit (Score:5, Insightful)

    by WinstonWolfIT (1550079) on Wednesday March 21, 2012 @03:10PM (#39432459)

    Wow. That puts huge incentive on planting moles in projects with wide distribution simply for the aim of writing exploitable code.

    • by elucido (870205)

      Wow. That puts huge incentive on planting moles in projects with wide distribution simply for the aim of writing exploitable code.

      Agencies probably already do that to save money having to pay these guys.

    • That is what I have been wondering.

      How many open source projects / commercial products are compromised by 3 letter agency insiders? Yeah we can 'look at the source' for some software but I have no pretenses on most anyone being able to find a backdoor left in by the best of the best that MIT / NSA etc have to offer. And with an unlimited budget to boot...

      I know if I was in charge id just make sure to get my code into Flash installers, Webkit, MS Office, and a few of the most popular linux packages and call

  • by Animats (122034) on Wednesday March 21, 2012 @03:10PM (#39432461) Homepage

    "To give arms to all men who offer an honest price for them, without respect of persons or principles: to aristocrat and republican, to Nihilist and Tsar, to Capitalist and Socialist, to Protestant and Catholic, to burglar and policeman, to black man white man and yellow man, to all sorts and conditions, all nationalities, all faiths, all follies, all causes and all crimes." - Undershaft

  • I wonder if they ever go from providing exploits to "remote controlled product support".
  • Isn't this a violation of the DMCA?
    • by Desler (1608317)

      They're a French company...

      • Still, if the US can extradite Vladimir Zdorovenin and Gary McKinnon (let alone, Julian Assange) for their purported violation of US laws while outside the US, then the US should be able to extradite the execs of this company. Right?
  • by swb (14022) on Wednesday March 21, 2012 @03:22PM (#39432641)

    And not just for their offices, but for their homes and the homes, schools and offices of their families, friends and anyone else they might care about.

    It strikes me that these are people you don't want to try to play around with and that some might try to influence you to give a better deal to their side than another side, perhaps using things like pictures of your kids walking to school or your wife gardening.

    • And not just for their offices, but for their homes and the homes, schools and offices of their families, friends and anyone else they might care about.

      It strikes me that these are people you don't want to try to play around with and that some might try to influence you to give a better deal to their side than another side, perhaps using things like pictures of your kids walking to school or your wife gardening.

      There is no easy way for hackers to make money. You'll have to sell to the spies or you don't make money at all because the spies are the ones with the money to pay for security researchers.

      As far as them trying to influence for a better deal or exclusive deal this much is obvious.

    • by Anonymous Coward

      Why is this modded redundant? I am in ITSec yet am valued more for my knowledge about physical security and its deep implications. Go ahead, take a look at a light primer: Locks, Safes, and Security by Marc Weber Tobias; then come back and say it is redundant.

      • by elucido (870205)

        Why is this modded redundant? I am in ITSec yet am valued more for my knowledge about physical security and its deep implications. Go ahead, take a look at a light primer: Locks, Safes, and Security by Marc Weber Tobias; then come back and say it is redundant.

        But if you know about physical security then you know in most workplaces it barely exists. You've got to secure the entire electromagnetic spectrum, worry about biological attacks, chemical attacks, psychological, and social engineering attacks on top of the technical exploits, lock picking, etc.

        These individuals in this company wouldn't be in the business they are in if they didn't have physical security of some sort. They have as little physical security as everyone else has, but perhaps they are aware of

  • by Anonymous Coward

    "'if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.'"

    Or worse!

    Zorg: I hate warriors, too narrow-minded. I'll tell you what I do like though: a killer, a dyed-in-the-wool killer. Cold blooded, clean, methodical and thorough. Now a real killer, when he picked up the ZF-1, would've immediately asked about the little red button on the bottom of the gun.

    [Scene shifts to Aknot, who is staring in confusion at the little red button. He shrugs and pushes it]

    Zorg: [Casu

  • the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word.

    NUUU not my slash!fic!! No touching my pr0n!

    Oh wait, Microsoft Word required my first-born for payment, so I downloaded OpenOffice. Not on the list, MY PR0N IS SAFE.

  • As long as the government agencies don't use them within their own territories against their own citizens then it's fine.
  • Perspective: Inside Cisco's eavesdropping apparatus

    By Declan McCullagh | April 21, 2003 4:00 AM PDT
    - http://news.cnet.com/2010-1071-997528.html?tag=fd_nc_1 [cnet.com]

    "Cisco Systems has created a more efficient and targeted way for police and intelligence agencies to eavesdrop on people whose Internet service provider uses their company's routers.

    The company recently published a proposal that describes how it plans to embed "lawful interception" capability into its products. Among the highlights: Eavesdropping "must be

  • Might Vupen have been the ones that discovered the exploits used by Duqu & Stuxnet? If they were, then they might know who created Duqu & Stux.
  • I admit it's good enough for one security researcher, or maybe 1.5, but it's not rich.

    If we are talking about millions of dollars then we are talking rich.

    • 100k per customer. Multiply by x, with x being everyone and anyone willing and able to join the cyber arms race.

      Plus, those 100k are the admission ticket, not the ride fee. Actually getting informed about an exploit and how it works costs extra, and then you WISH it was just 100k...

      • by elucido (870205)

        100k per customer. Multiply by x, with x being everyone and anyone willing and able to join the cyber arms race.

        Plus, those 100k are the admission ticket, not the ride fee. Actually getting informed about an exploit and how it works costs extra, and then you WISH it was just 100k...

        If it's profitable to do things this way then this might be the beginning of a new industry.

    • by Khashishi (775369) on Wednesday March 21, 2012 @04:17PM (#39433345) Journal

      That's just the membership fee. How much is the actual product?

  • Just a reminder (Score:4, Insightful)

    by Opportunist (166417) on Wednesday March 21, 2012 @04:11PM (#39433277)

    When you're extorting, don't get greedy. At some point it's cheaper to just get rid of you than to pay you.

    • by elucido (870205)

      When you're extorting, don't get greedy. At some point it's cheaper to just get rid of you than to pay you.

      So who is going to do the getting rid of? Google?

      Also it's not extortion. Bug testing is Google's job, not ours. Finally you have all these agencies that want to buy exploits, so it's more like weapons trading, but that's basically what the defense industry does anyway. I don't see how this would be extortion but selling missiles to a NATO country isn't?

  • by Anonymous Coward on Wednesday March 21, 2012 @05:14PM (#39433957)

    Check out this company: Siege Technologies (http://www.siegetechnologies.com/). I had never heard of them before and have no idea how big they are. But they openly advertise that they have a "Vulnerability Discovery Incentive Plan" in their benefit package (http://www.siegetechnologies.com/careers).

    They claim to do work for private companies and the U.S. government. They advertise a "Five year contract awarded to provide DoD with training material on Offensive/Defensive Windows Kernel Security and Development" and are advertising for jobs looking for Reverse Engineers.

  • Figures, they're surrendering before it even becomes an issue.
